The ICO has warned employees about the potential consequences of illegally sharing personal data that they have access to as part of their job.

The warning came after a recruitment manager was prosecuted and fined for illegally disclosing the personal information of job applicants to a third party employment agency.

Stuart Franklin, 39, of Lickey End, West Midlands, pleaded guilty to an offence under s55 of the Data Protection Act when he appeared at Birmingham Magistrates Court.

The court was told Franklin was employed by the data controller, HomeServe Membership Ltd, as a recruitment manager.

During his time at the Walsall-based domestic services company, he was found to have sent copies of 26 CVs containing the personal data of applicants seeking employment with HomeServe to an external recruitment firm, without a business need to do so.

The data controller was alerted to suspicious activity when it discovered that some candidates who had already applied for jobs directly to HomeServe were subsequently also submitted as applicants from the third party agency.

Franklin was fined £573 and ordered to pay costs of £364 and a victim surcharge of £57, totalling £994 to be paid within seven days.

Speaking after the case, ICO Head of Enforcement Steve Eckersley said:

“Passing on other people’s personal information that you have access to as part of your job can often be against the law, unless you have their consent or valid grounds for doing so.

“We’re asking people to stop and think about the consequences before taking or sharing information illegally. Most people know it’s wrong but they don’t seem to realise it’s a criminal offence and they could face prosecution.

“What people might think is a minor mistake could lead to the loss of their job, a day in court and a fine.”

Notes to Editors

The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.

The General Data Protection Regulation (GDPR) is a new law that will replace the Data Protection Act 1998 and will apply in the UK from 25 May 2018. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.

The ICO can take action to change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit. The ICO has the power to impose a monetary penalty on a data controller of up to £500,000.

Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:

fairly and lawfully processed;

processed for limited purposes;

adequate, relevant and not excessive;

accurate and up to date;

not kept for longer than is necessary;

processed in line with your rights;

secure; and

not transferred to other countries without adequate protection.

The Privacy and Electronic Communications Regulations (PECR) sit alongside the Data Protection Act. They give people specific privacy rights in relation to electronic communications. There are specific rules on:

We aim to help organisations comply with PECR and promote good practice by offering advice and guidance. We will take enforcement action against organisations that persistently ignore their obligations.

Civil Monetary Penalties (CMPs) are subject to a right of appeal to the (First-tier Tribunal) General Regulatory Chamber against the imposition of the monetary penalty and/or the amount of the penalty specified in the monetary penalty notice.

Any monetary penalty is paid into the Treasury’s Consolidated Fund and is not kept by the Information Commissioner’s Office (ICO).

To report a concern to the ICO telephone our helpline 0303 123 1113 or go to ico.org.uk/concerns.